Eddy,

Eddy Nigg wrote:
> On 01/13/2009 12:37 AM, Julien R Pierre - Sun Microsystems:
>> I agree. The person who wrote that page must have misunderstood the
>> meaning of the CRL Issuing Distribution Points extension. This extension
>> is required to be critical in RFC 3280 and 5280 for good reason - it
>> defines the scope of the CRL. Unless the client software understands the
>> scope, the CRL is meaningless to it. It should not be confused with a
>> full CRL.
>
> I think this was Kathleen, however based on comments from here. As I
> understood (from Nelson), CRLs with critical CIDP extension fail to load
> properly with NSS. Is this correct?

Yes, that is currently the case. CRLs with critical IDP extensions, or
other unsupported critical extensions, will fail to decode. However,
support for IDP will be forthcoming in a future 3.12.x version. I don't
remember exactly what solution was chosen for this problem, since there
are several cert verification and revocation checking code paths in NSS,
but only the libpkix one will eventually support IDP.
_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto